Leftover Hash Lemma and Its Applications

rkm0959 (Gyumin Roh)
October 18th

Outline

- Introduction and Motivation
- Bunch of Terminology
- The Leftover Hash Lemma
- Application 1: Random Number Generation
- Application 2: Quantum Key Distribution
- Application 3: Learning With Errors
- Further Works
- References

Introduction

- Let’s begin with a simple puzzle :)
- Suppose I have a secret bit string of length 8, $b_1 b_2 b_3 \cdots b_8$.
- It doesn’t serve real meaning, just for password purposes.
- You do somehow know that $b_1 \neq b_2$, $b_2 = b_3$, $b_4 = 1$.
- You want to find my bit string by brute-force.
- How many possibilities do you need to check?

Introduction

- It’s not hard to see the answer is 32.
- Here’s an intuitive explanation.
- There are 8 unknown bits.
- There are 3 bits of information.
- Therefore, the answer is $2^{8-3} = 32$.

Introduction

- I feel kinda bad that you have some information on my secret.
- I think I should be able to "compress" my secret?
- Goal: You have no information about my secret.
- Case 1: I know what information you have.
  - Just change my secret to $b_1 b_5 b_6 b_7 b_8$.
  - Now you know nothing, and there are 32 possibilities.
- Case 2: I do not know what information you have.
  - Now what?
  - This is where Leftover Hash Lemma comes in!

Motivation

- Q: Why do you feel the need to compress anyway?
- Q: Amount of brute-force remains the same.
- Q: Is rkm0959 delusional?
- A: partial leakage of secret information can be critical!
- A: brute-force is not the only possible attack in cryptography.
- A: here’s a very good example in RSA.

Textbook RSA

- Public Key: $N$ and $e$ with $\gcd(e, \varphi(N)) = 1$.
- $p, q$ are large primes, so factorization of $N = pq$ is hard.
- Private Key: $d$ such that $ed \equiv 1 \pmod{\varphi(N)}$.
- Encryption of $m$: $c = m^e \pmod{N}$.
- Decryption of $c$: $m = c^d \pmod{N}$.
- Factorization of $N$ is equivalent to deriving $d$.
- Details: rkm0959.tistory.com/131

Motivation

Theorem (Partial Key Exposure: Coppersmith)
Let $N = pq$ be an $n$-bit RSA modulus. Then given the $n/4$ least significant bits of $p$ or the $n/4$ most significant bits of $p$, one can efficiently factor $N$. Same applies for $q$.

Theorem (Partial Key Exposure: Boneh, Durfee, Frankel)
Let $\langle N, d \rangle$ be a private RSA key in which $N$ is $n$ bits long. Given the $n/4$ least significant bits of $d$, one can reconstruct all of $d$ in time linear in $e \log e$.

Note that $e = 2^{16} + 1$ is usually used.

Motivation

- Q: Wait, why not just generate a new random secret?
- A: First, generation of "truly random" bits is a hard task.
- A: Also, plz just wait until applications section :P
- Also, it’s not bad to be extra cautious in cryptography :)
- Cryptographers have very high standards in their schemes.
- Now that we have all the motivation, we begin.

What Do We Want?

- Let’s briefly summarize my goal, in simpler terms.
- Then we will transform them into mathematical ones!
- You have some information on my secret.
  - You have some probability distribution over my secret.
- I have no idea what information you have.
  - I have no idea what your distribution is.
- At least I hope/know that you have no good guesses.
  - $\max_X P_{\text{you}}(\text{secret} = X)$ should be small.
- I want to change my secret so that you have no info on it.
  - I want your distribution to be close to uniform.
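The puzzle and the goals above, worked through in code. This is an added example, not part of the original slides: it measures how far a compressed secret is from uniform when the compression is fixed in advance versus chosen as a random public binary matrix over GF(2). The matrix hash family and the bound in `lhl_bound` (the standard statement of the lemma, which this excerpt does not reach) are assumptions of the example, as are all function names.

```python
import math
from itertools import product

N = 8  # secret length in bits, as in the puzzle

def bit(x, i):
    """Bit b_i of secret x, with b_1 the most significant bit."""
    return (x >> (N - i)) & 1

def leaked_source():
    """Every secret consistent with the leak b1 != b2, b2 = b3, b4 = 1."""
    return [x for x in range(2 ** N)
            if bit(x, 1) != bit(x, 2) and bit(x, 2) == bit(x, 3) and bit(x, 4) == 1]

PARITY = [bin(v).count("1") & 1 for v in range(2 ** N)]

def distance_from_uniform(rows, source):
    """Statistical distance between A*x (x uniform on source) and a uniform
    m-bit string. A is the GF(2) matrix whose rows are the bit masks in rows."""
    m = len(rows)
    counts = [0] * (2 ** m)
    for x in source:
        y = 0
        for r in rows:
            y = (y << 1) | PARITY[r & x]  # one output bit = <row, x> mod 2
        counts[y] += 1
    return 0.5 * sum(abs(c / len(source) - 2 ** -m) for c in counts)

def average_distance(m, source):
    """Distance of (A, A*x) from (A, uniform) when the matrix A is public and
    drawn uniformly: the average over all m x 8 binary matrices."""
    total = sum(distance_from_uniform(rows, source)
                for rows in product(range(2 ** N), repeat=m))
    return total / 2 ** (N * m)

def lhl_bound(m, source):
    """0.5 * sqrt(2^m * max_X P(secret = X)) for a source uniform on its support."""
    return 0.5 * math.sqrt(2 ** m / len(source))

if __name__ == "__main__":
    src = leaked_source()
    print("candidates:", len(src), "min-entropy:", math.log2(len(src)), "bits")
    # Fixed compression chosen without knowing the leak: keep (b1, b2).
    print("keep b1,b2:", distance_from_uniform([0b10000000, 0b01000000], src))
    for m in (1, 2):  # random public matrix instead (assumed hash family)
        print("m =", m, average_distance(m, src), "<=", lhl_bound(m, src))
```

Keeping $(b_1, b_2)$ is a Case 2 failure: the leak $b_1 \neq b_2$ lands exactly on the kept bits, so the output is far from uniform, while the randomly chosen matrix stays within the bound without knowing what leaked.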
